Description
Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The vulnerability allows a local attacker to crash the Navicat for Oracle application by entering an excessively long password string during connection configuration. An unwary 550‑character payload exceeds the expected length and causes the program to terminate, resulting in a denial of service. This is a local denial of service; no data exfiltration or system compromise occurs.

Affected Systems

Navicat for Oracle version 12.1.15 is the affected product. The issue is reported only for this release; earlier or newer releases are not known to be vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity, while an EPSS score below 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. An attacker must have local or physical access to the machine to exploit the flaw. By supplying a 550‑character string in the password field during connection setup, the application will crash. The impact is confined to the application layer and does not affect the underlying Oracle database.

Generated by OpenCVE AI on April 8, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Navicat for Oracle to the latest available version from the vendor.
  • Verify that the updated application no longer crashes when an overly long string is entered into the password field.
  • Restrict local access to the Navicat application to trusted users only, limiting the opportunity for attackers to inject malicious input.

Generated by OpenCVE AI on April 8, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Navicat navicat For Oracle
CPEs cpe:2.3:a:navicat:navicat_for_oracle:*:*:*:*:*:*:*:*
Vendors & Products Navicat navicat For Oracle

Mon, 30 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
Title Navicat for Oracle 12.1.15 Password Field Denial of Service
First Time appeared Navicat
Navicat navicat
Weaknesses CWE-620
CPEs cpe:2.3:a:navicat:navicat:12.1.15:*:*:*:*:*:*:*
Vendors & Products Navicat
Navicat navicat
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Navicat Navicat Navicat For Oracle
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T13:53:07.017Z

Reserved: 2026-03-30T10:55:24.174Z

Link: CVE-2019-25653

cve-icon Vulnrichment

Updated: 2026-03-30T13:52:57.239Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T12:16:17.953

Modified: 2026-04-08T16:31:18.803

Link: CVE-2019-25653

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:39Z

Weaknesses